01 Aug 2022
I’ve jumped back on the traditional-blog bandwagon, as I’m trying to wean myself off of big-tech social media in general and Twitter specifically.
One of the things I’ve been working on in my newly-freed-up time is migrating lots of notes and other bits of content that I created in my Evernote notebooks, and sticking them up here on the blog, in case they might be of interest or use to someone.
So, as a result, you might see new stuff here more often! However, it might also look like crap!
It appears that the flavor of Markdown used by Obsidian, which is what I’m targeting when I export notes from Evernote, is slightly different from the flavor of Markdown used by Jekyll—at least the version I’m currently running. So stuff like tables and code blocks don’t look perfect yet.
But I am working on it, and we’ll see if getting Jekyll to play nice with Obsidian is enough of a pain that it pushes me to move to a different static site generator.
28 Jul 2022
New cyber threat just dropped.
Kaspersky is reporting that they have discovered a novel type of UEFI-infecting low-level rootkit dubbed CosmicStrand, tentatively attributed to “an unknown Chinese-speaking threat actor”.
Nobody seems to have figured out how they infected the systems initially. The supposition is that there’s a vulnerability in a specific motherboard chipset that was used: “The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset.”
From this, we can infer a couple of things:
- This might have been a targeted attack on someone using that particular chipset in their hardware;
- We shouldn’t assume that other hardware can’t be infected as well; it’s just that this particular variant was specific to that chipset;
- It also could be that someone had access to a bunch of similar motherboards, and designed a tool specifically for them.
They go on:
we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario). Qihoo’s initial report indicates that a buyer might have received a backdoored motherboard after placing an order at a second-hand reseller.
The supply chain compromise seems more likely than the Evil Maid scenario. Why go to the trouble of trying to sneak someone into an adversary’s office—a high-risk, clandestine operation—if you can just compromise the hardware as it’s leaving the factory? It’s probably much easier for Chinese intelligence to get access to the Gigabyte or Asus motherboard factory (or a shipping depot, or some other intermediary), than it is to get into whatever adversary they were targeting with this attack.
I tend to think that supply chain compromises are a significant problem, and not enough is really being done about it, probably because it’s very hard and very expensive to fix. It’s a classic “nobody wants to pay for it” problem, and so the problem just gets ignored. (Plus nobody wants to confront the obvious long-term solution, which is don’t have your critical infrastructure components manufactured in an adversary country, you dicknuts.)
Anyway, it seems like a pretty sophisticated bit of code:
CosmicStrand also seemingly attempts to disable PatchGuard, a security mechanism introduced to prevent modifications in key structures of the Windows kernel in memory. To do so, it locates ntoskrnl.exe’s KiFilterFiberContext function and modifies it so it returns without performing any work.
This shows the relative futility of trying to write software that runs on a possibly-infected machine to try and detect whether that machine is compromised. There’s just no way to reliably do that. It’s sort of like the DRM problem, where all you can do is play cat-and-mouse with the people trying to crack your increasingly-baroque but ultimately flawed ‘protection’ schemes. (And it should be noted that one of the scenarios that Trusted Computing Modules are marketed for is DRM enforcement, not just rootkit prevention and user security.)
PatchGuard was only added to Windows in 3Q2016, so we know that the malicious code was written—or at least updated—since that date.
Like most modern malware, the low-level rootkit contacts a C2 server to get the actual code to inject into the target’s operating system:
CosmicStrand retrieves its final payload by sending a specifically crafted UDP (preferably) or TCP packet to its C2 server, update.bokts.com.
This suggests to me that it wasn’t meant as a one-off tool, but rather as a weapon that could be used repeatedly against multiple targets in different scenarios, perhaps by less-sophisticated users than whoever actually developed the low-level UEFI code. Just speculation, however. And the dates that the C2 servers were up and running are awfully short, suggesting targeted or at least considered use.
This is odd, though:
all the victims in our user base appear to be private individuals (i.e., using the free version of our product) and we were unable to tie them to any organization or even industry vertical.
However, Kaspersky software is not widely used by the US government or major US corporations with Russian threat exposure, so I wouldn’t necessarily trust their data to be complete. Doesn’t mean they’re wrong, just that they likely have a blind spot where US NatSec interests are concerned. But the similarities to rootkits used by criminal / financially-motivated actors in China suggest that this isn’t some major nation-state’s top-shelf cyberweapon.
I can’t argue with Kaspersky’s conclusion and final question:
The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described. This discovery begs a final question: if this is what the attackers were using back then, what are they using today?
If it’s worthwhile to use a persistent rootkit just to install a cryptominer on your computer to make someone a couple of bucks, imagine what someone with a more pointed interest in your activities could do.
28 Jul 2022
In regular text mode, Emacs can create pretty decent-looking ASCII tables. They look like this:
+-----+--------------+-----------------------+
| ID  | Username     | Legal Name            |
+-----+--------------+-----------------------+
|001  |jdoe          |Johnny Doe             |
+-----+--------------+-----------------------+
|002  |jfox          |Jill Fox               |
+-----+--------------+-----------------------+
|003  |pverylon      |Paul Verylongname      |
+-----+--------------+-----------------------+
|004  |bsimpson      |Bart Simpson Jr.       |
+-----+--------------+-----------------------+
To insert one, type M-x table-insert.
There are a bunch of commands for changing the width and height of rows/columns, inserting more rows or columns, changing the justification of a row, cell, or column, etc. The easiest way to see them all is to type M-x table-TAB (where TAB means the tab key), which brings up the possible completion options, i.e. the various table-related commands.
Markdown Mode
Tables work differently when in Markdown mode.
If you try to create a regular ASCII table while in Markdown mode, it seems to try and create a table within another table if you press tab.
So that’s probably not how you’re intended to do it…
There is actually an entire book dedicated to Markdown mode for Emacs.
To have Emacs assist with table creation, run markdown-insert-table, which will prompt for the table size/dimensions and let you start filling it in.
Alternately, if you type the header row yourself, then start the divider row by typing a pipe and a hyphen (|-), Emacs should recognize what you’re doing if you press tab, and fill in the rest of the divider row. Then it will move to the data rows and let you move back and forth through them with tab and shift-tab.
Here’s what a raw table looks like:
| Col One | Col Two    | Col Three |
|---------|------------|-----------|
| Data 1  | Data 2     | Data 3    |
| This    | is         | pretty    |
| neat!   | Tab        | even      |
| works   | to go      | forward   |
| Or      | backwards! | DONE      |
Which Markdown should render as a proper table with these cells:
| Col One | Col Two    | Col Three |
|---------|------------|-----------|
| Data 1  | Data 2     | Data 3    |
| This    | is         | pretty    |
| neat!   | Tab        | even      |
| works   | to go      | forward   |
| Or      | backwards! | DONE      |
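Since table-mode’s +---+ grid and markdown-mode’s pipe table are two different formats, here is an added Python example (not from the original post, and not part of Emacs) that converts a table.el-style ASCII table into a Markdown pipe table, padding each column to its widest cell the way markdown-mode does when you press TAB. The input is the post’s sample table; the function names are my own.

```python
import re

# Sample input: the post's table-mode example, with the column padding
# reconstructed (the extraction had collapsed it).
ASCII_TABLE = """\
+-----+--------------+-----------------------+
| ID  | Username     | Legal Name            |
+-----+--------------+-----------------------+
|001  |jdoe          |Johnny Doe             |
+-----+--------------+-----------------------+
|002  |jfox          |Jill Fox               |
+-----+--------------+-----------------------+
|003  |pverylon      |Paul Verylongname      |
+-----+--------------+-----------------------+
|004  |bsimpson      |Bart Simpson Jr.       |
+-----+--------------+-----------------------+
"""

BORDER = re.compile(r"^\+(?:-+\+)+$")  # table.el border line, e.g. +-----+---+


def parse_ascii_table(text):
    """Return the table as a list of rows, each a list of stripped cell strings.

    Border lines are skipped; every other non-blank line must look like |...|.
    """
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or BORDER.match(line):
            continue
        if not (line.startswith("|") and line.endswith("|")):
            raise ValueError(f"not a table row: {line!r}")
        rows.append([cell.strip() for cell in line[1:-1].split("|")])
    if len({len(r) for r in rows}) != 1:
        raise ValueError("rows have inconsistent column counts")
    return rows


def to_markdown(rows):
    """Render rows as a Markdown pipe table: the first row is the header, and
    every column is padded to its widest cell, as markdown-mode does on TAB."""
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]

    def fmt(row):
        return "| " + " | ".join(c.ljust(w) for c, w in zip(row, widths)) + " |"

    divider = "|" + "|".join("-" * (w + 2) for w in widths) + "|"
    return "\n".join([fmt(rows[0]), divider] + [fmt(r) for r in rows[1:]])
```

Calling `to_markdown(parse_ascii_table(ASCII_TABLE))` gives a five-row pipe table that markdown-mode will accept as-is.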
Markdown Mode Resources